Surveillance

The Spy in Your Pocket

Byron Tau's Means of Control documents how the private sector helps government agencies keep tabs on American citizens.

|

Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State, by Byron Tau, Crown, 400 pages, $32

A cop pulled over Ivan Lopez in Somerton, Arizona, a small town near the Mexican border. The officer claimed that Lopez had a broken taillight and had been speeding. A drug-sniffing dog then indicated possible contraband; police searched his truck and found fentanyl, cocaine, heroin, and meth. Lopez subsequently agreed to a plea deal where he would serve 84 months in prison for drug smuggling.

The traffic stop was in 2018. Lopez (and his lawyers) didn't find out until 2020 that it was neither the traffic offenses nor the dog that led to Lopez's downfall: It was location data from his phone, which revealed he was passing through the border at a place where there was no monitored crossing. A secret underground tunnel led from Mexico to a property he owned in the Arizona border town of San Luis.

A handful of small-town border cops hadn't been actively monitoring Lopez's phone location. They were purchasing the information from third-party brokers, who were collecting GPS data produced by the apps on Lopez's phone.

Byron Tau, then a Wall Street Journal reporter, reported that year that the federal government, particularly immigration officials, had begun purchasing such data, which had typically been meant for use by advertising companies. (It was Tau who told Lopez's lawyers about the data purchases, in the course of reporting his story.) In this way, both local and federal police were bypassing Fourth Amendment restrictions to get information that would typically require probable cause and a warrant.

Such stories animate Tau's Means of Control, a book that documents how, across more than two decades, our government has turned to the private sector to keep tabs on us, all while both the authorities and the companies involved do everything they can to keep Americans in the dark.

***

Tau starts, as almost all modern tellings of the American surveillance state must, with the September 11 attacks. As the federal government realized there were holes in its intelligence operations, people in the private business of gathering and selling personal data realized their information may be of use.

In the days following 9/11, a data collection firm called Acxiom decided to run the terrorists' names through its databases to see what it could find. It found information about 11 of them. Then the company expanded its search to cover people who shared addresses with the men, looking for connections to others within the U.S. who might be planning attacks. Meanwhile, a rival firm, Seisint, was doing something similar, trying to develop profiles of potential terrorists and searching through the company's data to see who matched.

This was a fishing expedition—a broad search of information in the hopes of finding evidence of misconduct. Before police can collect or search our data, they are supposed to have a reasonable suspicion that the individuals involved are engaged in criminal activity; they aren't supposed to gather people's data first and then look it over to see if they've done anything wrong. But Axciom and Seisint aren't law enforcement agencies, and that's where the privacy protections start to break down.

The third-party doctrine, which dates back to Supreme Court rulings from the 1970s, holds that data that Americans voluntarily provide to banks, phone companies, and other third parties do not have the same Fourth Amendment protections as data we store for ourselves. In the wake of 9/11, interestingly, Defense Department lawyers actually warned Pentagon officials away from attempting to incorporate data from these firms into their intelligence.

Those warnings went unheeded. Tau's book is an in-depth account of how the U.S. went from a place where federal lawyers cautioned against combing through privately gathered data to one where government agencies spend untold sums of taxpayer money purchasing the information.

People who follow data privacy issues may already be familiar with some of the stories in this book. In 2019, for example, a government contractor warned that the gay hook-up app Grindr's data about its users—and their locations—was accessible to anybody with access to the exchanges that sell ads to apps. Since a Chinese company had purchased a majority stake in Grindr in 2016, this led to fears of national security risks. Eventually the foreign company was forced to sell its stake. This saga saw wide press coverage.

What wasn't as widely covered is that many other apps have the same flaw. Tau shows that as phones increasingly became people's personal data storage centers, so did the amount of private information citizens were—whether they realized it or not—providing to private firms. This produces a marketplace where secretive middleman companies collect data from these apps and ad exchanges and then quietly sell it to the government. When apps or platforms put privacy restrictions in place that say no data should be used for government tracking purposes, the middleman companies step in and allow the authorities to bypass those rules. As Lopez and his lawyers would discover, this secretive system can also make it impossible to challenge the source or legitimacy of information used against people in court.

"Both the user and the app developer cannot definitively say what the uses are after the data leaves their control," Tau writes. "They cannot guarantee that the data will be used only for commerce or analytics. Once data is collected and sold, what happens with it cannot be guaranteed by anyone."

***

Tau's extensive research gives readers a detailed tour of the bafflingly complex ecosystem of brokers and buyers of this information. The cynical may be surprised to learn that there are people within the government who treat citizen privacy seriously and resist these surveillance methods. The cynical will not be surprised when other officials and their private-sector allies figure out ways to get around that resistance.

Even as Tau shows us how transparent our lives are, much of the process by which data is transferred into the hands of brokers and then to the government remains fairly opaque. This isn't a critique of Tau's writing or research: This book has a lot to teach about how this secret marketplace came into being and how it works. Nevertheless, as Tau acknowledges, even he was able to penetrate only so much of the system.

Tau never loses sight of the fact that government is the driving force behind this marketplace. Any potential solution that actually works would likely involve either legislative action or court decisions restricting what data the government can collect. Some of this, though not enough, has already happened: In 2018's Carpenter v. United States, the Supreme Court ruled that police need warrants to access cellphone tracking data.

The bipartisan Fourth Amendment Is Not For Sale Act would forbid the government from buying Americans' device data from third-party brokers and instead make the authorities seek a court order before they can gather data from the original app or platform. As Tau notes, the bill garnered unanimous support from the Republican-led House Judiciary Committee this past July, which would seem like a positive sign. But an attempt to fold the legislation into a larger surveillance reform bill failed, and the measure's future is unclear.

Thus, it is still unfortunately useful that Means of Control includes an appendix offering "An Ordinary Person's Guide to Digital Privacy"—a how-to guide for people who want to protect their own data. As Tau says, "Nobody ever went bankrupt betting on Congress doing nothing."